Network port numbers. TCP and UDP port ranges. Well-known examples

Network ports can give vital information about applications that access computers over a network. By knowing the applications that use the network and the corresponding network ports, you can create precise firewall rules and configure host computers to allow only useful traffic. By building a network profile and deploying tools to recognize network traffic, you can more effectively detect intruders - sometimes simply by analyzing the network traffic they generate. We began to consider this topic in the first part of the article published in the previous issue of the magazine. It provided basic information about TCP/IP ports as the foundation of network security. Part 2 will describe some network and host methods that can be used to identify applications listening on a network. Later in the article we will talk about how to evaluate the traffic passing through the network.

Blocking network applications

Network attack surface is a common term for a network's exposure to attack. Many network attacks take place through vulnerable applications, and the attack surface can be significantly reduced by reducing the number of active applications on the network. In other words, you should disable unused services, install a firewall on each dedicated system to check the legitimacy of traffic, and create a comprehensive access control list (ACL) for the firewall at the network perimeter.

Each open network port represents an application listening on the network. The attack surface of each server connected to the network can be reduced by disabling all non-essential network services and applications. Windows Server 2003 improves on previous versions of the operating system, since it enables fewer network services by default. However, an audit is still necessary to find installed applications and configuration changes that open unnecessary network ports.

Every open port is a potential backdoor for attackers who exploit holes in the host application or surreptitiously access the application with another user's name and password (or another legitimate authentication method). Either way, an important first step in protecting your network is simply to disable unused network applications.

Port scanning

Port scanning is the process of detecting listening applications by actively polling the network ports of a computer or other network device. Being able to read scan results and compare network reports with host port polling results allows you to get a clear picture of the traffic flowing through your network. Knowledge of network topology is important in preparing a strategic plan for scanning specific areas. For example, by scanning a range of external IP addresses, you can gather valuable data about an Internet attacker. Therefore, you should scan your network more often and close all unnecessary network ports.

Port scanning from outside the firewall can detect all responding services (such as the Web or email) hosted on internal servers. These servers should also be protected. Configure a familiar port scanner (for example, Network Mapper, Nmap) to scan the desired group of UDP or TCP ports. Typically, TCP port scanning is more reliable than UDP scanning, because the connection-oriented TCP protocol gives the scanner more feedback. There are versions of Nmap for both Windows and Unix. Starting a basic scan is easy, although the program offers much more advanced features. To find open ports on the test computer, I ran the command

nmap 192.168.0.161

Screen 1 shows the results of a scan session - in this case, a Windows 2003 computer in a standard configuration. The data collected from the port scan shows that there are six open TCP ports.

Screen 1: Basic Nmap scan session
  • Port 135 is used by the RPC endpoint mapping feature found in many Windows technologies - such as COM/DCOM applications, DFS, event logging, file replication, message queuing, and Microsoft Outlook. This port should be blocked by a firewall at the perimeter of the network, but it is difficult to close it and still maintain Windows functionality.
  • Port 139 is used by the NetBIOS session service, which supports the Computer Browser service (finding other computers), file sharing, Net Logon and the Server service. It is difficult to close, just like port 135.
  • Port 445 is used by Windows for file sharing. To close this port, you must block File and Printer Sharing for Microsoft Networks. Closing this port does not prevent the computer from connecting to other remote resources; however, other computers will not be able to connect to this system.
  • Ports 1025 and 1026 are opened dynamically and are used by other Windows system processes, in particular various services.
  • Port 3389 is used by Remote Desktop, which is not enabled by default, but is active on my test computer. To close the port, go to the Remote tab in the System Properties dialog box and clear the Allow users to connect remotely to this computer check box.

Be sure to search for open UDP ports and close unnecessary ones. The scanning program shows the open ports of the computer that are visible from the network. Similar results can be obtained using tools located on the host system.

Host scan

In addition to using a network port scanner, open ports on the host system can be detected using the following command (run on the host system):

netstat -an

This command works on both Windows and UNIX. Netstat lists the active ports on a computer. On Windows Server 2003 and Windows XP, add the -o option to get the corresponding process identifier (PID). Figure 2 shows the Netstat output for the same computer that was previously port scanned. Note that several ports that were previously active are closed.
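As an added example (not part of the original article), the following Python script parses a constructed sample of `netstat -ano` output, keeps only the listening sockets with their PIDs, classifies each port by the IANA well-known/registered/dynamic ranges, and reports listeners that are not on an expected list; both the sample output and the expected list are constructed for illustration.

```python
# Added example: audit listening ports from `netstat -ano` output.
# The sample output and the expected-port list are constructed; the range
# boundaries are the published IANA well-known/registered/dynamic limits.

# Constructed netstat -ano output (Windows format: PID is the last column,
# and UDP lines have no State column).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       848
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1020
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       936
  TCP    192.168.0.161:139      0.0.0.0:0              LISTENING       4
  TCP    192.168.0.161:3389     192.168.0.50:44587     ESTABLISHED     1020
  TCP    [::]:135               [::]:0                 LISTENING       848
  UDP    0.0.0.0:161            *:*                                    1116
"""

# Constructed allow-list: what this host is supposed to expose.
EXPECTED = {("TCP", 135), ("TCP", 139), ("TCP", 445)}


def port_range(port):
    """Classify a port number by the IANA ranges."""
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


def split_endpoint(endpoint):
    """Split 'ip:port' (IPv4) or '[ip]:port' (IPv6) into (ip, port)."""
    host, port = endpoint.rsplit(":", 1)
    return host.strip("[]"), int(port)


def parse_listeners(text):
    """Return the listening sockets in netstat -ano output as dicts.

    A TCP socket counts as listening when its state is LISTENING; every bound
    UDP socket is reported, since UDP has no connection state.
    """
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # title, column header or blank line
        proto = fields[0]
        ip, port = split_endpoint(fields[1])
        if proto == "TCP":
            state, pid = fields[3], int(fields[4])
            if state != "LISTENING":
                continue
        else:
            pid = int(fields[3])
        listeners.append({"proto": proto, "ip": ip, "port": port,
                          "pid": pid, "range": port_range(port)})
    return listeners


def unexpected_listeners(text, expected=EXPECTED):
    """Return sorted (proto, port, pid) triples for listeners not in `expected`.

    Dynamically opened ports (such as 1025 and 1026 in the scan above) fall in
    the registered range; they are reported so that the owning PID is checked
    rather than silently accepted.
    """
    found = {}
    for entry in parse_listeners(text):
        key = (entry["proto"], entry["port"])
        if key not in expected:
            found.setdefault(key, entry["pid"])
    return sorted((proto, port, pid) for (proto, port), pid in found.items())


if __name__ == "__main__":
    for proto, port, pid in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"unexpected {proto} listener on port {port} "
              f"({port_range(port)} range), PID {pid}")
```

On a real host, feed the script the saved output of `netstat -ano` and compare the result with the ports your firewall rules are meant to allow.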

Firewall Log Audit

Another useful way to detect network applications that send or receive data over the network is to collect and analyze more data in the firewall log. Deny entries logged on the firewall's external interface are unlikely to be useful because of the "noise traffic" (e.g., worms, scanners, ping sweeps) that clogs the Internet. But if you log allowed packets on the internal interface, you can see all incoming and outgoing network traffic.

To see the raw traffic data on your network, you can install a network analyzer that connects to the network and records all the packets it sees. The most widely used free network analyzer is Tcpdump for UNIX (the Windows version is called Windump), which is easy to install. After installing the program, configure it to capture all packets on the segment (promiscuous mode) so that it logs all traffic, then connect it to a port monitor on the network switch to observe all traffic passing through the network. Setting up a port monitor is discussed below. Tcpdump is an extremely flexible program: with its filters you can show only IP addresses and ports, or every packet in full. It is difficult to review network dumps on large networks without the help of appropriate filters, but care must be taken not to filter out important data.

Combining Components

So far we have considered various methods and tools that can help you discover applications using the network. It's time to combine them and show how to determine open network ports. It's amazing how chatty computers are on the network! First, it is worth reading the Microsoft document "Service overview and network port requirements for the Windows Server system" (http://support.microsoft.com/default.aspx?scid=kb;en-us;832017), which lists the protocols (TCP and UDP) and port numbers used by applications and most major Windows Server services. The document describes these services and the network ports they use. This reference guide is useful for Windows network administrators and is worth downloading and printing.

Setting up a network analyzer

It was previously noted that one way to determine the ports used by applications is to monitor traffic between computers using a network analyzer. To see all traffic, you need to connect the network analyzer to a hub or to a port monitor on the switch. Each port on a hub sees all the traffic from every computer connected to that hub, but hubs are an outdated technology and most companies are replacing them with switches, which provide good performance but are cumbersome to analyze: each switch port only carries traffic destined for the computer connected to that port. To analyze the entire network, you need to monitor the traffic sent to each switch port.

This requires setting up a port monitor (different vendors call it a SPAN port or mirrored port) on the switch. Setting up a port monitor on a Cisco Catalyst switch from Cisco Systems is easy. You need to log on to the switch and enter Enable mode, then go to configure terminal mode and enter the interface number of the switch port to which all monitored traffic should be sent. Finally, you must specify all monitored ports. For example, the following commands monitor three Fast Ethernet ports and forward a copy of their traffic to port 24.

interface FastEthernet0/24
port monitor FastEthernet0/1
port monitor FastEthernet0/2
port monitor FastEthernet0/3
end

In this example, a network analyzer connected to port 24 will see all outgoing and incoming traffic of the computers connected to the first three ports of the switch. To view the created configuration, enter the command

write memory

Initial analysis

Let's look at an example of analyzing data passing through a network. If you are using a Linux computer for network analysis, you can get a comprehensive picture of the type and frequency of packets on the network using a program such as IPTraf in statistics mode. Traffic details can then be examined with Tcpdump.

A port in computer networks is a communication endpoint in the operating system. The term also applies to hardware devices, but in software it denotes a logical construct that identifies a specific type of service or process. A port is always associated with a host IP address and a transport protocol type; together these complete the addressing of a session. For each protocol and address, a port is identified by a 16-bit number, also known as a port number. Specific port numbers are often used to identify specific services. Of the several thousand listed numbers, the 1,024 well-known numbers are reserved by convention; they define specific types of services on a host. The protocols that primarily use ports are the transport protocols for process-to-process communication, for example the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP) of the Internet protocol suite.

Meaning

TCP ports are not needed over direct point-to-point links where the computers at each end can only run one program at a time. The need for them arose once these machines became capable of running more than one program at the same time and were connected to modern packet-switched networks. In the client-server model, applications listen on ports and network clients connect to them to initiate service. Ports provide multiplexing: after the initial exchange on the well-known port number, each instance of request servicing is switched to its own dedicated connection, which frees the well-known port so that additional clients can be served without waiting.

Details

The UDP and TCP transport protocols carry the destination and source port numbers in their segment headers. The port number is an unsigned 16-bit number, ranging from 0 to 65535. TCP, however, cannot use port number 0. For UDP, the source port is optional; a value of zero means it is absent. A process associates its input or output channels with a transport protocol, port number and IP address through an Internet socket; this is known as binding, and it makes it possible to receive and transmit data over the network. The operating system's network software transmits outgoing data from all application ports to the network, and it delivers incoming packets to the right application by matching the port number and IP address. Only one process can be bound to a given combination of IP address and port using the same transport protocol. Binding conflicts (port collisions) occur when multiple programs try to use the same port number on the same IP address with the same protocol.

How are they used?

Applications that implement shared services quite often use reserved, well-known UDP and TCP ports to receive client service requests. This is known as listening. It involves receiving a request on the well-known port and establishing a one-to-one conversation between the client and server using the same local port number. Other clients can continue to connect, because a TCP connection is identified by the combination of local and remote ports and addresses. Standard UDP and TCP ports are defined by agreement under the control of IANA, the Internet Assigned Numbers Authority. Typically, the core network services, most notably the World Wide Web, use small port numbers, less than 1024. On many operating systems, applications require special privileges to bind to them, because these ports are considered critical to the operation of IP networks. The client end of a connection, on the other hand, tends to use a higher-numbered port allocated for short-term use, a so-called ephemeral port.
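To make the binding and listening rules above concrete, the following Python script (an added example, not from the original article) binds a TCP listener on a loopback port chosen by the OS, shows that a second TCP bind to the same (IP, port) fails while a UDP bind to the same number succeeds, and connects several clients to show that each connection is distinguished by its ephemeral client port within the (local address, local port, remote address, remote port) tuple. It assumes a Unix-like host where loopback sockets are available; the exact ephemeral range is OS-specific.

```python
# Added example: port binding, binding conflicts and ephemeral client ports.
# Uses only the standard library and the loopback interface; all traffic stays
# on the local machine.
import errno
import socket

HOST = "127.0.0.1"  # loopback; nothing leaves the machine


def bind_tcp_listener(host=HOST, port=0):
    """Bind a listening TCP socket; port 0 lets the OS pick a free port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, port))
    s.listen(5)
    return s


def try_bind(host, port, sock_type):
    """Try to bind another socket; return None on success or the errno on failure."""
    s = socket.socket(socket.AF_INET, sock_type)
    try:
        s.bind((host, port))
        return None
    except OSError as e:
        return e.errno
    finally:
        s.close()


def connect_clients(listener, count):
    """Open `count` client connections to the listener and accept each one.

    Returns one 4-tuple per connection as seen from the server side:
    (local ip, local port, remote ip, remote port). The local port is the same
    listening port every time; only the remote (ephemeral) port differs.
    """
    tuples, keep_open = [], []
    for _ in range(count):
        client = socket.create_connection(listener.getsockname())
        server_side, peer = listener.accept()
        keep_open += [client, server_side]  # hold them open so ports are not reused
        local_ip, local_port = server_side.getsockname()
        tuples.append((local_ip, local_port, peer[0], peer[1]))
    for s in keep_open:
        s.close()
    return tuples


def demo(client_count=3):
    """Run the whole demonstration and return the observations as a dict."""
    listener = bind_tcp_listener()
    _, listen_port = listener.getsockname()
    result = {
        "listen_port": listen_port,
        # Same protocol, same ip:port: the second bind is refused (EADDRINUSE).
        "second_tcp_bind_is_addrinuse":
            try_bind(HOST, listen_port, socket.SOCK_STREAM) == errno.EADDRINUSE,
        # UDP has its own port space, so the same number is still free for UDP.
        "udp_bind_ok": try_bind(HOST, listen_port, socket.SOCK_DGRAM) is None,
        "connections": connect_clients(listener, client_count),
    }
    listener.close()
    return result


if __name__ == "__main__":
    r = demo()
    print(f"listening on {HOST}:{r['listen_port']}")
    print("second TCP bind refused:", r["second_tcp_bind_is_addrinuse"])
    print("UDP bind on same port ok:", r["udp_bind_ok"])
    for t in r["connections"]:
        print("connection (local ip, local port, remote ip, remote port):", t)
```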

Structure

Port numbers are encoded in the transport-layer packet header. They can easily be interpreted not only by the receiving and transmitting computers, but also by other components of the network infrastructure. Firewalls in particular are typically configured to differentiate between packets based on their source and destination port numbers. A classic example of this is port forwarding. Attempting to connect sequentially to a range of ports on the same computer is known as port scanning. Such activity is usually associated either with malicious intrusion attempts or with network administrators deliberately looking for possible vulnerabilities in order to prevent such attacks. Actions aimed at opening a TCP port are logged and monitored on computers. This technique uses a number of redundant connections to ensure uninterrupted communication with the server.

Examples of using

The main example in which UDP and TCP ports are actively used is the Internet mail system. A server is used to handle email, and overall it needs two services. The first service transports email to and from other servers. This is achieved using the Simple Mail Transfer Protocol (SMTP). The SMTP service application typically listens on TCP port 25 to process incoming requests. The other service is POP or IMAP. These are needed by email client applications on user machines to retrieve messages from the mail server. POP services listen on TCP port 110. All of the above services can run on the same host computer; in that case the port number distinguishes the service being requested by the remote device. While the server's listening port number is fixed, the client's port number is chosen from the dynamic range. In some cases clients and servers each use specific ports assigned by IANA. A good example is DHCP: the client always uses UDP port 68 and the server UDP port 67.

Usage in URLs

Port numbers are sometimes visible in Uniform Resource Locators (URLs) and other resource identifiers. HTTP by default uses TCP port 80, and HTTPS uses port 443. There are other variations as well. For example, the URL http://www.example.com:8080/path indicates that the web browser connects to port 8080 instead of the default HTTP port.

List of UDP and TCP ports

As noted earlier, IANA, the Internet Assigned Numbers Authority, is responsible for the global coordination of the DNS root, IP addressing, and other Internet Protocol resources. These duties include registering frequently used ports for known Internet services. All port numbers are divided into three ranges: well-known, registered, and private or dynamic. Well-known ports are those with numbers from 0 to 1023. They are also called system ports. The requirements for new values in this range are more stringent than for other registrations.

Examples

Examples of ports on the known list include:

  • TCP port 443 – HTTPS;
  • 21 – File Transfer Protocol (FTP);
  • 22 – Secure Shell (SSH);
  • 25 – Simple Mail Transfer Protocol (SMTP);
  • 53 – Domain Name System (DNS);
  • 119 – Network News Transfer Protocol (NNTP);
  • 80 – Hypertext Transfer Protocol (HTTP);
  • 143 – Internet Message Access Protocol (IMAP);
  • 123 – Network Time Protocol (NTP);
  • 161 – Simple Network Management Protocol (SNMP).

Registered ports have numbers from 1024 to 49151. The Internet Assigned Numbers Authority maintains an official list of all well-known and registered ports. Private or dynamic ports range from 49152 to 65535. One use of this range is ephemeral ports.

History of creation

The concept of port numbers was developed by the early creators of ARPANET. It emerged from an informal collaboration between software authors and system administrators. At that time, the term "port number" was not yet used. The remote host number was a 40-bit number. The first 32 bits resembled today's IPv4 address, with the first 8 bits being the most significant. The less significant part of the number (bits 33 to 40) designated an object called AEN. It was the prototype of the modern port number. The creation of a socket number directory was first proposed on March 26, 1972. Network administrators were then called upon to describe each fixed number in terms of network services and its functions. This catalog was subsequently published as RFC 433 in the winter of 1972. It included a list of hosts, their port numbers, and the corresponding function used at each node on the network. The first official port number values were documented in May 1972. At the same time, a special administrative function for maintaining this register was proposed. The first list of TCP ports included 256 AEN values. They were divided into the following ranges:

– from 0 to 63 – standard functions for the entire network;

– from 64 to 127 – host-specific functions;

– from 128 to 239 – functions reserved for future use;

– from 240 to 255 – any experimental function.

The term AEN, in the early days of the ARPANET, also referred to the name of the socket used with the original connection protocol, the Network Control Program (NCP). NCP was the forerunner of the modern Internet protocols that use TCP/IP ports.

TCP/IP ports

There are two types of computer-to-computer data exchange: datagrams and sessions. A datagram is a message that does not require confirmation of receipt from the receiving party; if such confirmation is necessary, the addressee must send a special message itself. To exchange data in this way, the receiving and transmitting parties must strictly adhere to a certain protocol to avoid loss of information. Each datagram is an independent message, and if there are several datagrams on the LAN, their delivery to the addressee, generally speaking, is not guaranteed. A datagram is usually part of a message, and on most LANs datagrams are transmitted much faster than messages in sessions.

In a session, a logical connection is created for the exchange of messages between computers, and receipt of messages is guaranteed. While datagrams can be transmitted at any time, in a session a connection must be established before the message is transmitted, and the session must be closed when the data exchange is complete.

The operating systems of most computers support multiprogramming, i.e. several programs run simultaneously (several processes run in parallel). With some degree of accuracy, we can say that a process is the final destination for a message. However, because processes are created and terminated dynamically, the sender rarely has enough information to identify a process on another computer. Therefore, it becomes necessary to determine the destination of data based on the functions performed by the processes, without knowing anything about the processes that implement these functions.

In practice, rather than thinking of a process as a final destination, each computer is thought to have a set of destinations called protocol ports. Each port is identified by a positive integer (0 to 65535). The operating system provides a communication mechanism used by processes to indicate the port on which they are running or the port to which they need access. Typically ports are buffered, so data arriving at a particular port before a process is ready to receive it will not be lost: it is queued until the process retrieves it.

To better understand port technology, imagine that you go to a bank to make a deposit. To do this, you go to a certain window, where the operator fills out the documents and opens an account for you. In this example, the bank represents a computer, and the bank operators are programs that perform specific work. The windows are the ports, and each window in the bank is numbered (1, 2, 3, ...).

The same applies to ports: to communicate with a port on another computer, the sender must know both the IP address of the recipient computer and the port number on that computer. Each message contains both the port number on the computer to which the message is addressed and the source port number on the sending computer to which the response should be sent. This makes it possible for each process to reply to the sender.

TCP/IP ports numbered 0 to 1023 are privileged and are used by network services, which in turn run with administrator (superuser) privileges. For example, the Windows file and folder sharing service uses port 139, but if it is not running on the computer, then when you try to access this service (i.e., this port) you will receive an error message.

TCP/IP ports 1024 to 65535 are unprivileged and are used by client programs to receive responses from servers. For example, a user's web browser, when accessing a web server, uses port 44587 on the user's computer but accesses port 80 on the web server. Having received the request, the web server sends its response to port 44587, which is used by the web browser.

Transport layer

The task of the transport layer is to transfer data between the various applications running on network nodes. After a packet is delivered via IP to the receiving computer, the data must be handed to a specific recipient process. Each computer can run multiple processes, and an application can have multiple entry points acting as destinations for data packets.

Packets arriving at the transport layer of the operating system are organized into multiple queues at the entry points of the various applications. In TCP/IP terminology, these entry points are called ports.

Transmission Control Protocol

Transmission Control Protocol (TCP) is a mandatory protocol of the TCP/IP standard, defined in RFC 793, "Transmission Control Protocol (TCP)".

TCP is a transport layer protocol that transmits a data stream over a connection that must first be established; it thereby guarantees the integrity of the received data and re-requests data in the event of loss or corruption. In addition, TCP detects duplicate packets and discards them.

Unlike UDP, it guarantees the integrity of the transmitted data and confirms the result of the transfer to the sender. It is used in file transfers, where the loss of a single packet can corrupt the entire file.

TCP achieves its reliability by:

  • Data from the application is divided into blocks of a certain size that will be sent.
  • When TCP sends a segment, it sets a timer, waiting for an acknowledgment of that segment to arrive from the remote end. If an acknowledgment is not received after time has elapsed, the segment is retransmitted.
  • When TCP receives data from the remote side of the connection, it sends an acknowledgment. This acknowledgment is not sent immediately, but is usually delayed for a fraction of a second.
  • TCP calculates a checksum for its header and data. This is a checksum calculated at the ends of the connection, the purpose of which is to detect any change in data during transmission. If a segment arrives with an incorrect checksum, TCP discards it and no acknowledgment is generated. (The sender is expected to time out and retransmit.)
  • Since TCP segments are transmitted as IP datagrams, and IP datagrams can arrive out of order, TCP segments can also arrive out of order. After receiving the data, TCP resequences it as needed, so that the application receives the data in the correct order.
  • Since an IP datagram can be duplicated, the receiving TCP must discard duplicated data.
  • TCP provides flow control. Each side of a TCP connection has a finite buffer space. TCP on the receiving end allows the remote end to send only as much data as the recipient can fit into its buffer. This prevents fast hosts from overflowing the buffers of slow hosts.

  • The sequence number serves two purposes:
    • If the SYN flag is set, this is the initial sequence number (ISN), and the first byte of data transmitted in the next packet will have sequence number ISN + 1.
    • Otherwise, if SYN is not set, this is the sequence number of the first byte of data transmitted in this packet.
  • Acknowledgment number - if the ACK flag is set, this field contains the sequence number the recipient expects next, and marks this segment as confirming receipt of everything before it.
  • Header length is specified in 32-bit words.
  • Window size is the number of bytes that the recipient is ready to receive without acknowledgment.
  • Checksum - covers the pseudo-header, the header and the data.
  • Urgent pointer (urgency indicator) - points to the last byte of urgent data that must be processed immediately.
  • URG - urgent flag; enables the Urgent pointer field. If 0, the field is ignored.
  • ACK - acknowledgment flag; enables the Acknowledgment number field. If 0, the field is ignored.
  • PSH - push flag; the TCP module must pass the data to the application immediately.
  • RST - reset flag, used to abort or refuse a connection.
  • SYN - sequence number synchronization flag, used when establishing a connection.
  • FIN - end-of-transmission flag from the sender's side.

Let's look at the TCP header structure using the Wireshark network analyzer:


TCP ports

Since several programs can be running on the same computer, to deliver a TCP packet to a specific program each program's unique identifier, its port number, is used.

A port number is a 16-bit number from 1 to 65535 indicating which program the packet is intended for.

TCP ports use a specific program port to deliver data transmitted using the Transmission Control Protocol (TCP). TCP ports are more complex and work differently than UDP ports. While a UDP port acts as a single message queue and as the entry point for UDP datagrams, the final entry point for all TCP traffic is a unique connection. Each TCP connection is uniquely identified by its two endpoints.

Each individual TCP server port can serve multiple connections at once, because every TCP connection is identified by its two endpoints, each of which is an IP address and TCP port pair (a socket).

All TCP port numbers that are less than 1024 are reserved and registered with the Internet Assigned Numbers Authority (IANA).

UDP and TCP port numbers do not overlap.

TCP programs use reserved or well-known port numbers, as shown in the following figure.

Establishing a TCP connection

Let's now see how TCP connections are established. Suppose a process running on one host wants to establish a connection with another process on another host. Recall that the host that initiates the connection is called the "client", while the other host is called the "server".

Before transmitting any data, the TCP protocol requires the parties to establish a connection. The connection is established in three stages (the TCP "three-way handshake").

  • The requester (usually called the client) sends a SYN segment indicating the port number of the server to which the client wants to connect and the client's initial sequence number (ISN).
  • The server responds with its own SYN segment containing the server's initial sequence number. The server also acknowledges the client's SYN with ACK = client ISN + 1. A SYN consumes one sequence number.
  • The client must acknowledge the arrival of the server's SYN with a segment whose sequence number is the client's ISN + 1 and whose ACK is the server's ISN + 1. The SYN bit is cleared, since the connection is now established.

Once the TCP connection is established, the two hosts can transmit data to each other; since a TCP connection is full duplex, they can transmit data in both directions simultaneously.
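The following Python script is an added example, not part of the original article, that ties together the header field list above and the three-way handshake: it builds and parses 20-byte TCP headers (RFC 793 layout, no options) including the checksum over the pseudo-header, then constructs the SYN, SYN+ACK and ACK segments and checks the ISN + 1 arithmetic, including wrap-around at 2^32. The client and server addresses, ports and ISNs are constructed values.

```python
# Added example: TCP header serialization/parsing with pseudo-header checksum,
# plus a model of the three-way handshake sequence-number rules.
# Addresses, ports and ISNs used here are constructed for illustration.
import socket
import struct

FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
# sport, dport, seq, ack, data offset/reserved, flags, window, checksum, urgent pointer
HEADER_FMT = "!HHIIBBHHH"
MASK32 = 0xFFFFFFFF  # sequence numbers wrap modulo 2**32


def internet_checksum(data):
    """16-bit ones'-complement sum of the data, complemented (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # pad an odd trailing byte to a full 16-bit word
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)  # fold carries back in
    return (~total) & 0xFFFF


def pseudo_header(src_ip, dst_ip, tcp_length):
    """IPv4 pseudo-header covered by the TCP checksum (protocol 6 = TCP)."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, 6, tcp_length))


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window=65535, payload=b""):
    """Serialize a TCP segment (no options) with a valid checksum."""
    flag_bits = sum(FLAGS[f] for f in flags)
    offset_words = 5  # header length in 32-bit words (20 bytes)
    header = struct.pack(HEADER_FMT, sport, dport, seq, ack,
                         offset_words << 4, flag_bits, window, 0, 0)
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, len(header) + len(payload))
                             + header + payload)
    header = header[:16] + struct.pack("!H", csum) + header[18:]  # checksum at bytes 16-17
    return header + payload


def parse_segment(src_ip, dst_ip, segment):
    """Decode the header fields; the checksum is valid iff the recomputed sum is 0."""
    (sport, dport, seq, ack, offset_res, flag_bits,
     window, _csum, urgent) = struct.unpack(HEADER_FMT, segment[:20])
    header_len = (offset_res >> 4) * 4
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": sorted(name for name, bit in FLAGS.items() if flag_bits & bit),
        "window": window, "urgent": urgent,
        "checksum_ok": internet_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0,
        "payload": segment[header_len:],
    }


def handshake_segments(client, server, client_isn, server_isn):
    """Return the SYN, SYN+ACK and ACK segments; each SYN consumes one sequence number."""
    (c_ip, c_port), (s_ip, s_port) = client, server
    syn = build_segment(c_ip, s_ip, c_port, s_port, client_isn, 0, ["SYN"])
    syn_ack = build_segment(s_ip, c_ip, s_port, c_port, server_isn,
                            (client_isn + 1) & MASK32, ["SYN", "ACK"])
    ack = build_segment(c_ip, s_ip, c_port, s_port, (client_isn + 1) & MASK32,
                        (server_isn + 1) & MASK32, ["ACK"])
    return syn, syn_ack, ack


def verify_handshake(client, server, segments):
    """Check that three segments form a valid handshake; return (ok, reason)."""
    (c_ip, _), (s_ip, _) = client, server
    syn = parse_segment(c_ip, s_ip, segments[0])
    syn_ack = parse_segment(s_ip, c_ip, segments[1])
    ack = parse_segment(c_ip, s_ip, segments[2])
    if not all(s["checksum_ok"] for s in (syn, syn_ack, ack)):
        return False, "bad checksum"
    if syn["flags"] != ["SYN"] or syn_ack["flags"] != ["ACK", "SYN"] or ack["flags"] != ["ACK"]:
        return False, "unexpected flags"
    if syn_ack["ack"] != ((syn["seq"] + 1) & MASK32):
        return False, "server did not acknowledge client ISN + 1"
    if ack["seq"] != ((syn["seq"] + 1) & MASK32) or ack["ack"] != ((syn_ack["seq"] + 1) & MASK32):
        return False, "client did not acknowledge server ISN + 1"
    return True, "established"


if __name__ == "__main__":
    client, server = ("192.168.0.50", 44587), ("192.168.0.161", 80)  # constructed
    segments = handshake_segments(client, server, client_isn=1000, server_isn=5000)
    directions = [(client, server), (server, client), (client, server)]
    for seg, (src, dst) in zip(segments, directions):
        info = parse_segment(src[0], dst[0], seg)
        print(info["flags"], "seq", info["seq"], "ack", info["ack"], "checksum ok", info["checksum_ok"])
    print(verify_handshake(client, server, segments))
```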

The TCP/IP protocol is the foundation of the Internet, through which computers send and receive information from anywhere in the world, regardless of geographic location. Accessing a TCP/IP computer in another country is as easy as accessing a computer in the next room. The access procedure is identical in both cases, although connecting to a machine in another country may take a few milliseconds longer. As a result, citizens of any country can easily shop on Amazon.com; however, the same logical proximity complicates information security: any owner of a computer connected to the Internet anywhere in the world can try to establish an unauthorized connection with any other machine.

It is the responsibility of IT professionals to install firewalls and systems that detect suspicious traffic. Packet analysis retrieves information about the source and destination IP addresses and the network ports involved. Network ports are no less valuable than IP addresses; they are the most important criteria for separating useful traffic from fake and harmful messages entering and leaving the network. Most Internet traffic consists of TCP and UDP packets, which carry the network port numbers that computers use to route traffic from one application to another. A prerequisite for firewall and network security is that the administrator has a thorough understanding of how computers and network devices use these ports.

Studying ports

Knowledge of the basic principles of network port operation is useful to any system administrator. With a basic understanding of TCP and UDP ports, an administrator can independently diagnose a failed network application or protect a computer that will access the Internet, without calling a network engineer or firewall consultant.

The first part of this two-part article describes the basic concepts needed to discuss network ports. It shows the place of network ports in the overall network model and the role of network ports and a NAT (Network Address Translation) firewall in connecting company computers to the Internet. Finally, it indicates the points in the network at which it is convenient to identify and filter network traffic on the corresponding network ports. Part 2 looks at some of the ports used by common applications and operating systems and introduces some tools for finding open network ports.

Brief overview of network protocols

TCP/IP is a set of network protocols through which computers communicate with each other. The TCP/IP suite is nothing more than a piece of software code installed in the operating system that provides access to these protocols. TCP/IP is a standard, so a TCP/IP application on a Windows computer should successfully communicate with a similar application on a UNIX machine. In the early days of networking, in 1983, engineers developed the seven-layer OSI interconnection model to describe computer networking processes, from cable to application. The OSI model consists of the physical, data link, network, transport, session, presentation and application layers. Administrators who constantly work with the Internet and TCP/IP primarily deal with the network, transport and application layers, but successful diagnostics requires knowing the other layers too. Despite the advanced age of the OSI model, it is still used by many specialists. For example, when a network engineer talks about Layer 1 or Layer 2 switches, or a firewall vendor talks about Layer 7 control, they are talking about the layers defined in the OSI model.

This article talks about network ports located at Layer 4, the transport layer. In the TCP/IP suite, these ports are used by the TCP and UDP protocols. But before we get to a detailed description of one layer, you need to be briefly familiar with the seven OSI layers and the role they play in modern TCP/IP networks.

Layers 1 and 2: Physical cables and MAC addresses

Layer 1, physical, represents the actual medium through which the signal travels, such as copper cable, fiber optic cable, or radio signals (in the case of Wi-Fi). Layer 2, data link, describes the data format for transmission in the physical medium. At Layer 2, packets are organized into frames, and basic flow control and error handling functions can be implemented. IEEE 802.3, better known as Ethernet, is the most widely used Layer 2 standard in today's local networks. A typical network switch is a Layer 2 device through which multiple computers physically connect and exchange data with each other. Sometimes two computers cannot connect to each other even though the IP addresses appear to be correct: the problem may be caused by errors in the Address Resolution Protocol (ARP) cache, indicating a problem at Layer 2. In addition, some wireless access points (APs) provide MAC address filtering, allowing only network adapters with a specific MAC address to connect to the wireless AP.

Layers 3 and 4: IP addresses and network ports

Layer 3, the network layer, supports routing. In TCP/IP, routing is implemented in IP. The packet's IP address belongs to Layer 3. Network routers are Layer 3 devices that analyze packet IP addresses and forward the packets to another router or deliver them to local computers. If a suspicious packet is detected on the network, the first step is to check the IP address of the packet to determine its origin.

Together with the network layer, Layer 4 (transport) is a good starting point for diagnosing network problems. On the Internet, Layer 4 contains the TCP and UDP protocols and the network port information that associates a packet with a specific application. A computer's networking stack uses the association between a TCP or UDP network port and an application to direct network traffic to that application. For example, TCP port 80 is associated with a Web server application. This mapping of ports to applications is known as a service.

TCP and UDP are different. Essentially, TCP provides a reliable connection for exchanging data between two applications. Before communication can begin, the two applications must establish a connection by completing the TCP three-way handshake. UDP is more of a fire-and-forget approach. For TCP applications, reliability is ensured by the protocol, but a UDP application has to check the reliability of the exchange itself.

A network port is a number between 1 and 65535 that is specified and known to both applications between which communication is being established. For example, a client typically sends an unencrypted request to a server at a target address on TCP port 80. Typically, a computer sends a DNS request to a DNS server at a target address on UDP port 53. The client and server each have a source and destination IP address and a source and destination network port, which may differ. Historically, all port numbers below 1024 are called well-known port numbers and are registered with the Internet Assigned Numbers Authority (IANA). On some operating systems only system processes can use ports in this range. Additionally, organizations can register ports 1024 through 49151 with IANA to associate a port with their application. This registration provides a structure that helps avoid conflicts between applications attempting to use the same port number. However, in general, there is nothing to prevent an application from requesting a specific port as long as it is not occupied by another active program.

Historically, a server listens on a low-numbered port and a client initiates the connection from a high-numbered port (above 1024). For example, a Web client might open a connection to a Web server on destination port 80, but bind a randomly selected source port, such as TCP port 1025. When responding to the client, the Web server addresses the packet to the client with source port 80 and destination port 1025. The combination of an IP address and port is called a socket and must be unique on the computer. For this reason, when setting up a Web server with two separate Web sites on the same computer, you must use multiple IP addresses, such as address1:80 and address2:80, or configure the Web server to listen on multiple network ports, such as address1:80 and address1:81. Some Web servers allow multiple Web sites to run on a single port by requiring a Host header, but this function is performed by the Web server application at the higher Layer 7.
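As an added example (not code from the original article), the following Python decodes the Layer 3 and Layer 4 headers of a raw IPv4 packet the way a packet filter does: it pulls out the source and destination addresses, the protocol, the source and destination ports and the TCP flags, and classifies each port by the IANA ranges just described. The header layouts follow RFC 791 (IPv4), RFC 793 (TCP) and RFC 768 (UDP); the two sample packets (a client SYN to a Web server, and a DNS query) are constructed inline, with checksums left at zero because only the header layout is being demonstrated.

```python
"""Decode the Layer 3/Layer 4 headers of raw IPv4 packets (added example)."""
import struct
from dataclasses import dataclass

# Layer 4 protocol numbers carried in the IPv4 "protocol" field
PROTO_TCP = 6
PROTO_UDP = 17

# TCP flag bits in the 14th octet of the TCP header
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
FLAG_NAMES = [("FIN", TCP_FIN), ("SYN", TCP_SYN), ("RST", TCP_RST),
              ("PSH", TCP_PSH), ("ACK", TCP_ACK)]


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str      # "TCP" or "UDP"
    src_port: int
    dst_port: int
    flags: str         # TCP flags as "SYN,ACK"; empty for UDP
    payload: bytes


def port_class(port: int) -> str:
    """Classify a port number by the IANA ranges described in the article."""
    if port < 1024:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


def parse_ipv4(raw: bytes) -> Packet:
    """Decode an IPv4 datagram and the TCP or UDP segment it carries."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    if raw[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (raw[0] & 0x0F) * 4                      # IP header length in bytes
    total_len = struct.unpack("!H", raw[2:4])[0]   # whole datagram length
    proto = raw[9]
    src_ip = ".".join(str(b) for b in raw[12:16])
    dst_ip = ".".join(str(b) for b in raw[16:20])
    l4 = raw[ihl:total_len]                        # Layer 4 segment

    if proto == PROTO_TCP:
        if len(l4) < 20:
            raise ValueError("truncated TCP header")
        sport, dport = struct.unpack("!HH", l4[:4])
        data_offset = (l4[12] >> 4) * 4            # TCP header length in bytes
        bits = l4[13]
        flags = ",".join(name for name, bit in FLAG_NAMES if bits & bit)
        return Packet(src_ip, dst_ip, "TCP", sport, dport, flags, l4[data_offset:])
    if proto == PROTO_UDP:
        if len(l4) < 8:
            raise ValueError("truncated UDP header")
        sport, dport, ulen, _checksum = struct.unpack("!HHHH", l4[:8])
        return Packet(src_ip, dst_ip, "UDP", sport, dport, "", l4[8:ulen])
    raise ValueError(f"unsupported Layer 4 protocol {proto}")


# --- builders used only to construct the sample packets below ---------------
def build_ipv4(src_ip: str, dst_ip: str, proto: int, l4: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (TTL 64, checksum left zero) plus segment."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                       bytes(int(x) for x in src_ip.split(".")),
                       bytes(int(x) for x in dst_ip.split("."))) + l4


def build_tcp(sport: int, dport: int, flags: int, payload: bytes = b"") -> bytes:
    """Minimal 20-byte TCP header: seq/ack zero, data offset 5, no options."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """8-byte UDP header (checksum left zero) plus payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


# Constructed samples: a client SYN from ephemeral port 1025 to a Web server,
# and a DNS query from a dynamic port to UDP 53 (12-byte placeholder payload).
SYN_TO_WEB = build_ipv4("192.168.1.10", "203.0.113.5", PROTO_TCP, build_tcp(1025, 80, TCP_SYN))
DNS_QUERY = build_ipv4("192.168.1.10", "192.168.1.1", PROTO_UDP,
                       build_udp(53001, 53, b"\x12\x34\x01\x00" + b"\x00" * 8))

if __name__ == "__main__":
    for raw in (SYN_TO_WEB, DNS_QUERY):
        p = parse_ipv4(raw)
        print(f"{p.protocol} {p.src_ip}:{p.src_port} ({port_class(p.src_port)}) -> "
              f"{p.dst_ip}:{p.dst_port} ({port_class(p.dst_port)}) flags=[{p.flags}]")
```

The four fields a Layer 3/4 firewall rule keys on (source and destination address, protocol, port pair) all sit at fixed offsets in these headers, which is why such rules are cheap to evaluate; the TCP flags let a filter tell a new connection (SYN only) from a reply (SYN,ACK).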

As networking capabilities became available in operating systems and applications, programmers began using port numbers higher than 1024 without registering all applications with IANA. By searching the Internet for any network port, you can usually quickly find information about applications that use that port. Or you can search for Well Known Ports and find many sites that list the most common ports.

When blocking network applications on a computer or troubleshooting firewall problems, most of the work consists of classifying and filtering Layer 3 IP addresses and Layer 4 protocols and network ports. To quickly distinguish between legitimate and suspicious traffic, you should learn to recognize the 20 TCP and UDP ports most widely used in the enterprise.

Learning to recognize network ports is useful beyond writing firewall rules. For example, some Microsoft security patches describe how to close NetBIOS ports. This measure helps limit the spread of worms that penetrate through vulnerabilities in the operating system. Knowing how and where to close these ports can help reduce network security risks while preparing to deploy a critical patch.

Straight to Layer 7

It's rare to hear about Layer 5 (session) and Layer 6 (presentation) these days, but Layer 7 (application) is a hot topic among firewall vendors. The newest trend in network firewall development is Layer 7 inspection, which describes techniques for checking whether an application is using its network protocol correctly. By analyzing the payload of a network packet, a firewall can determine whether the traffic passing through it is legitimate. For example, a Web request contains a GET statement inside a Layer 4 packet (TCP port 80). If your firewall has Layer 7 functionality, it can verify that the GET statement is correct. Another example is that many peer-to-peer (P2P) file sharing programs can hijack port 80: a user can configure the program to use a port of their own choosing, most likely a port that is left open in a given firewall. If a company's employees need access to the Internet, port 80 must be open, but to distinguish legitimate Web traffic from P2P traffic directed by someone to port 80, the firewall must provide Layer 7 control.
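An added example of the Layer 7 check described above (not code from the original article or any vendor's firewall): for traffic to TCP port 80 it inspects the payload and accepts it only if it starts with a syntactically valid HTTP/1.x request line and header lines, so a non-HTTP program that merely borrowed port 80 is dropped. The sample payloads are constructed; the non-HTTP one uses the BitTorrent handshake string as a recognisable example of P2P traffic.

```python
"""Layer 7 inspection of port 80 traffic (added example)."""
import re

# Request methods defined for HTTP/1.x
HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT", "PATCH"}

# request-line = method SP request-target SP HTTP-version CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")
# header-field = token ":" field-value CRLF (token characters per the HTTP grammar)
HEADER_LINE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[^\r\n]*\r\n")


def looks_like_http_request(payload: bytes) -> bool:
    """True if the payload begins with a well-formed HTTP/1.x request header.

    Verifies the request line (known method, a target, a version) and that
    every following line is a syntactically valid header, up to the blank
    line that ends the header section (or the end of the payload).
    """
    m = REQUEST_LINE.match(payload)
    if not m or m.group(1).decode() not in HTTP_METHODS:
        return False
    rest = payload[m.end():]
    while rest and not rest.startswith(b"\r\n"):
        h = HEADER_LINE.match(rest)
        if not h:
            return False
        rest = rest[h.end():]
    return True


def layer7_decision(dst_port: int, payload: bytes) -> str:
    """Verdict for the first data-bearing packet of an outbound connection.

    Only port 80 is subject to payload inspection here; other ports are left
    to the Layer 3/4 rules ("pass").
    """
    if dst_port != 80:
        return "pass"
    return "allow" if looks_like_http_request(payload) else "drop"


# Constructed sample payloads
WEB_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
P2P_ON_PORT_80 = b"\x13BitTorrent protocol" + b"\x00" * 8   # P2P handshake, not HTTP
MALFORMED = b"GET /index.html\r\n"                           # no HTTP version

if __name__ == "__main__":
    for name, data in (("web", WEB_REQUEST), ("p2p", P2P_ON_PORT_80), ("bad", MALFORMED)):
        print(name, layer7_decision(80, data))
```

A real inspection engine applies this to the reassembled TCP stream rather than to a single packet, since a request can be split across segments; this example assumes the whole request head arrives in the payload it is given. Note also that the check validates syntax, not intent: traffic that is well-formed HTTP still passes, which is exactly why Layer 7 control complements rather than replaces the Layer 3/4 rules.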

Role of the firewall

Having described the network layers, we can move on to the mechanism by which network applications communicate through firewalls, paying special attention to the network ports used. In the following example, a client browser communicates with a Web server on the other side of the firewall, just as a company employee communicates with a Web server on the Internet.

Most Internet firewalls operate at Layers 3 and 4 to examine and then allow or block incoming and outgoing network traffic. In general, the administrator writes access control lists (ACLs) that define the IP addresses and network ports of traffic that is blocked or allowed. For example, to access the Web, you launch a browser and point it at a Web site. The computer initiates an outgoing connection by sending a sequence of IP packets, each consisting of a header and a payload. The header contains routing information and other packet attributes. Firewall rules are written with this routing information in mind and typically contain the source and destination IP addresses (Layer 3) and the packet protocol and ports (Layer 4). When browsing the Web, the destination IP address is that of the Web server, and the protocol and destination port are (by default) TCP 80. The source IP address is the address of the computer from which the user accesses the Web, and the source port is usually a dynamically assigned number greater than 1024. The payload is independent of the header and is generated by the user's application; in this case, it is a request to the Web server to provide a Web page.

The firewall analyzes outgoing traffic and allows it according to the firewall rules. Many companies allow all outbound traffic from their network. This approach simplifies configuration and deployment, but reduces security due to the lack of control over the data leaving the network. For example, a Trojan horse can infect a computer on a business network and send information from that computer to another computer on the Internet. It makes sense to create access control lists to block such outgoing information.

In contrast to their permissive treatment of outgoing traffic, most firewalls are configured to block incoming traffic. Typically, firewalls allow incoming traffic in only two situations. The first is traffic arriving in response to an outgoing request sent previously by the user. For example, if you specify the address of a Web page in the browser, the firewall lets the HTML code and other components of the Web page into the network. The second case is publishing an internal service on the Internet, such as a mail server or a Web or FTP site. Hosting such a service is usually called port translation or server publishing. The implementation of port translation varies among firewall vendors, but the underlying principle is the same. The administrator defines a service, such as TCP port 80 for the Web server, and a back-end server to host the service. If packets matching this service enter the firewall through the external interface, the port translation mechanism forwards them to a specific computer on the network hidden behind the firewall. Port translation is used in conjunction with the NAT service described below.

NAT Basics

With NAT, multiple computers in a company can share a small public IP address space. A company's DHCP server can allocate IP addresses from one of the private, non-Internet-routable IP address blocks defined in RFC 1918. Multiple companies can share the same private IP address space. Examples of private IP subnets are 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. Internet routers block any packets directed to one of the private addresses. NAT is a firewall feature that allows companies using private IP addresses to communicate with other computers on the Internet. The firewall knows how to translate incoming and outgoing traffic to and from the private internal IP addresses so that every computer can access the Internet.
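To tie the firewall role and NAT sections together, here is an added Python model (not the article's code, and not any vendor's implementation) of a perimeter firewall that behaves as described: outbound traffic from the private network is allowed unless an outbound ACL denies it, each outbound connection is translated to the single public address with a fresh source port and remembered, inbound traffic is allowed only as a reply to a remembered connection or to a published service (port translation), and everything else arriving from outside is dropped. The public address 198.51.100.1, the internal hosts, and the policy of denying outbound TCP 25 from workstations are constructed for the demonstration.

```python
"""Stateful perimeter firewall with NAT and port translation (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# RFC 1918 private address blocks named in the article
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    """The Layer 3/4 fields a firewall rule keys on."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "Flow":
        """The flow of a reply packet travelling in the opposite direction."""
        return Flow(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


def is_private(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in PRIVATE_NETS)


class Firewall:
    def __init__(self, public_ip: str, outbound_deny=(), published=None):
        self.public_ip = public_ip
        self.outbound_deny = set(outbound_deny)   # (proto, dst_port) pairs the outbound ACL blocks
        self.published = published or {}          # (proto, public_port) -> (internal_ip, internal_port)
        self.nat = {}                             # expected inbound reply flow -> flow delivered inside
        self.next_port = 49152                    # translated source ports come from the dynamic range

    def outbound(self, f: Flow) -> Tuple[str, Optional[Flow]]:
        """Internal host -> Internet. Returns (verdict, flow as seen on the outside)."""
        if (f.proto, f.dst_port) in self.outbound_deny:
            return "drop", None                   # outbound ACL (e.g. stop a Trojan's exfiltration)
        if not is_private(f.src_ip):
            return "drop", None                   # only the internal network may originate via NAT
        translated = Flow(f.proto, self.public_ip, self.next_port, f.dst_ip, f.dst_port)
        self.next_port += 1
        # Remember what the reply will look like and where to deliver it.
        self.nat[translated.reverse()] = f.reverse()
        return "allow", translated

    def inbound(self, f: Flow) -> Tuple[str, Optional[Flow]]:
        """Internet -> external interface. Returns (verdict, flow delivered inside)."""
        if f.dst_ip != self.public_ip:
            return "drop", None
        if f in self.nat:                         # case 1: reply to a tracked outbound connection
            return "allow", self.nat[f]
        service = self.published.get((f.proto, f.dst_port))
        if service:                               # case 2: published service (port translation)
            internal_ip, internal_port = service
            return "allow", Flow(f.proto, f.src_ip, f.src_port, internal_ip, internal_port)
        return "drop", None                       # unsolicited inbound traffic is blocked


if __name__ == "__main__":
    fw = Firewall("198.51.100.1",
                  outbound_deny={("TCP", 25)},                    # constructed policy
                  published={("TCP", 80): ("192.168.1.20", 80)})   # internal Web server
    # A workstation browses an external Web server.
    verdict, outside = fw.outbound(Flow("TCP", "192.168.1.10", 1025, "203.0.113.5", 80))
    print("outbound:", verdict, outside)
    # The server's reply comes back to the translated socket and is delivered inside.
    print("reply:", fw.inbound(Flow("TCP", "203.0.113.5", 80, "198.51.100.1", 49152)))
    # An unsolicited probe to a port with no state and no published service.
    print("probe:", fw.inbound(Flow("TCP", "203.0.113.9", 40000, "198.51.100.1", 3389)))
    # A visitor reaches the published Web server.
    print("published:", fw.inbound(Flow("TCP", "203.0.113.7", 40001, "198.51.100.1", 80)))
```

The state table is what makes the first inbound case safe: a packet is accepted only if it matches, field for field, the reverse of a connection an internal host opened. Real firewalls add timeouts and TCP state tracking so stale entries expire, and they also translate the source of packets leaving the published server; both are omitted here to keep the mechanism visible.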